Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course. http://www.sans.org/u/dgM

Pescatore First Look: Sowing Security Actually Matters

Here in the Washington DC area, the General Manager of the Washington Metro (subway) system, Paul J. Wiedefeld, made the difficult and disruptive decision to shut the entire system down all day Wednesday, after an early morning fire in track jumper cables convinced him that a previous inspection for vulnerabilities in those cables must have missed some cables in dangerous condition. During the shutdown, inspectors identified 26 areas where electrical cables or the boots that connect them to the third rails were damaged or frayed, three of which Wiedefeld called "show stoppers" that would have caused a shutdown of train service in those areas if discovered in the course of routine inspections.
************************** SPONSORED LINKS ******************************** 1) Mobile Data Loss - Threats & Countermeasures. Thursday, March 24, 2016 at 1:00 PM EDT (17:00:00 UTC) with Michael Raggo. http://www.sans.org/info/184327

Coding Bootcamps May Not Deliver on Promises (March 17, 2016)

Coding bootcamps have become popular over the past several years. These programs promise to teach people how to be coders and suggest that they are the path to a steady job with a good salary. The time frame is short: most bootcamps run from three to six months. However, companies seeking to hire capable coders are finding that those who have attended bootcamp do not meet their hiring needs. Four-year computer science programs offer far greater depth and breadth for students, increasing the likelihood that they will be suited for jobs in the industry when they graduate. -https://www.washingtonpost.com/news/the-switch/wp/2016/03/17/why-students-are-throwing-tons-of-money-at-a-program-that-wont-give-them-a-college-degree/[Editor's Note (Murray): On the other hand, CS programs are not doing a good job of teaching secure coding. As a developer, I preferred to train my own. (Honan): As with quality, there are no shortcuts to good security. ]

Ransomware Used Backdoored Encryption (March 16, 2016)

A ransomware creator made the mistake of using encryption code developed by someone who deliberately left a backdoor in the code. When the developer learned that his code was being used in ransomware, he used the backdoor to find the decryption keys, which he has made available. -http://www.theregister.co.uk/2016/03/16/locky_ransomware_undone_for_now/-https://www.grahamcluley.com/2016/03/ransomware-author-decryption-keys/[Editor's Note (Williams): There's a cautionary tale here for organizations that incorporate open source code into their own projects. While I love open source code, I don't just integrate it into my own projects without testing and vetting. In this case, it's very easy to laugh at the victim (since they predators themselves). But if the headline were "backdoored encryption code library used in banking application" our response would be very different. Vigorous code auditing standards should be adopted and followed prior to including external libraries in your own projects. (Honan): A good example to the various governments looking for backdoors into encryption as to why it is such a bad idea. ]

Limiting Use of Encryption is Futile (March 15, 2016)

The US government's push to weaken encryption is unlikely to have any effect on terrorists or on anyone determined enough to look outside US borders for products that take privacy seriously. Any US mandate regarding encryption will apply only to products made domestically. -https://www.washingtonpost.com/news/the-switch/wp/2016/03/15/why-the-government-cant-actually-stop-terrorists-from-using-encryption/ In a report published in February, "A Worldwide Survey of Encryption Products," Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar concluded, "It is easy to purchase products, especially software products, that are sold anywhere in the world from everywhere in the world. Encryption products come from all over the world. Any national law mandating encryption backdoors will overwhelmingly affect the innocent users of those products. Smart criminals and terrorists will easily be able to switch to more-secure alternatives." -https://www.schneier.com/cryptography/archives/2016/02/a_worldwide_survey_o.html[Editor's Note (Pescatore): Even former Director of NSA Gen. Michael Hayden has come around to this reality. From as far back as the prohibition era where moonshiners souped up their cars to be faster than law enforcement, every technology will get used by both the good guys and the bad guys. Part, not all, of the reason it is still so hard for businesses to persistently encrypt data is that export controls in the 1990s set progress back for the good guys a decade or more. ]

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/